Mobile Threat Blog


Have we seen the end of iOS hot patching?

Hot patching lets developers push new code to an app that is already installed, without going through the standard App Store submission and review process. Rollout.io and JSPatch are two popular hot patching frameworks for iOS: Rollout.io is a commercial framework, while JSPatch is open-source and popular among Chinese app developers. Apps using these frameworks had been in the official App Store for about two years when, in April 2017, Apple began banning them.

Appthority covered in a blog post on JSPatch that apps built using this type of “hot patch” framework expose an enterprise to significant risks, including but not limited to data leakage and privacy violation. In its letter to iOS app developers, Apple states, “Even if the remote resource is not intentionally malicious, it could easily be hijacked via a Man In The Middle (MiTM) attack, which can pose a serious security vulnerability to users of your app.”

So, is it safe now?

[Chart: newly submitted iOS apps containing hot-patching frameworks, before and after Apple's ban. Source: Appthority analyzed apps database]

As the chart above shows, the number of newly submitted iOS apps containing these hot-patching frameworks dropped sharply after Apple started banning them. Without a ready-made framework it becomes somewhat harder for an attacker to hide malicious behavior behind a post-review dynamic update, and fewer apps carry an update channel that a man-in-the-middle could hijack.

However, Appthority researchers believe this type of risk remains a threat to enterprises, for two main reasons:

First, there is another set of frameworks, such as React Native (from Facebook) and Cordova (from Apache), that let developers write cross-platform apps in JavaScript and ship them as both Android and iOS apps. Although they do not market themselves as iOS hot patching frameworks, several third parties offer dynamic-update services for them, and Microsoft itself provides CodePush, a dynamic update service for apps built with React Native and Cordova. Because the JavaScript bundle is the app's logic, replacing it after review has the same effect as a hot patch. Appthority researchers are waiting to see whether Apple will ban the use of frameworks from Apache, Facebook or Microsoft next.

Second, iOS ships the JavaScriptCore framework, which gives apps a legitimate way to evaluate JavaScript and expose native objects and methods to it. An attacker therefore does not need any ready-made framework: an app can define its own JavaScript-to-native interface, fetch script from a server at runtime, and let that script drive native behavior that was never present in the reviewed binary.

Recommendations

There is no easy way to avoid the risk these frameworks present. To minimize it, users should make a practice of downloading apps only from trusted stores such as the Apple App Store or Google Play, and should read reviews for any indication that an app does not behave as expected. Since the apps discussed here were distributed through the official App Store, store reputation alone does not rule out hot patching; enterprises should also look at which frameworks and dynamic-loading APIs an app actually uses.

Appthority customers can gain visibility into affected apps by adding the behaviors “Uses JSPatch For Hot Patching” and “Uses Rollout.io For Hot Patching” to an Appthority policy. They can also use the underlying behavior “Performs Dynamic Symbol Lookups” to detect apps that can load code dynamically without relying on a specific framework or SDK.
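As an added example of the kind of static check that produces findings like the three behaviors above (this is not Appthority's engine, and the labels are reused from the text only to show the mapping), the following parses the LC_LOAD_DYLIB commands of a 64-bit Mach-O binary and scans it for indicator strings. The two binaries are constructed inline with a minimal builder so the example runs offline; the dlsym/dlopen/NSClassFromString/NSSelectorFromString names are the public libSystem and Objective-C runtime APIs for dynamic lookup.

```javascript
// Minimal Mach-O 64 triage: linked dylibs plus indicator-string scan.
const MH_MAGIC_64 = 0xfeedfacf;
const LC_LOAD_DYLIB = 0x0c;

// Build a toy Mach-O 64 image with only LC_LOAD_DYLIB commands, followed by a
// blob of NUL-separated strings standing in for __TEXT,__cstring contents.
function buildMachO(dylibs, strings) {
  const cmds = dylibs.map((name) => {
    const nameBuf = Buffer.from(name + "\0", "utf8");
    const size = Math.ceil((24 + nameBuf.length) / 8) * 8; // cmdsize, 8-byte aligned
    const cmd = Buffer.alloc(size);
    cmd.writeUInt32LE(LC_LOAD_DYLIB, 0);  // cmd
    cmd.writeUInt32LE(size, 4);           // cmdsize
    cmd.writeUInt32LE(24, 8);             // dylib.name offset from start of command
    // timestamp, current_version, compatibility_version left as zero
    nameBuf.copy(cmd, 24);
    return cmd;
  });
  const cmdBlob = Buffer.concat(cmds);
  const header = Buffer.alloc(32);
  header.writeUInt32LE(MH_MAGIC_64, 0);
  header.writeUInt32LE(0x0100000c, 4);      // cputype CPU_TYPE_ARM64
  header.writeUInt32LE(0, 8);               // cpusubtype
  header.writeUInt32LE(2, 12);              // filetype MH_EXECUTE
  header.writeUInt32LE(cmds.length, 16);    // ncmds
  header.writeUInt32LE(cmdBlob.length, 20); // sizeofcmds
  header.writeUInt32LE(0, 24);              // flags
  header.writeUInt32LE(0, 28);              // reserved
  return Buffer.concat([header, cmdBlob, Buffer.from(strings.join("\0") + "\0", "utf8")]);
}

// Walk the load commands and return the paths of linked dylibs.
function linkedDylibs(buf) {
  if (buf.readUInt32LE(0) !== MH_MAGIC_64) throw new Error("not a 64-bit Mach-O");
  const ncmds = buf.readUInt32LE(16);
  const out = [];
  let off = 32;
  for (let i = 0; i < ncmds; i++) {
    const cmd = buf.readUInt32LE(off);
    const size = buf.readUInt32LE(off + 4);
    if (cmd === LC_LOAD_DYLIB) {
      const nameOff = buf.readUInt32LE(off + 8);
      const end = buf.indexOf(0, off + nameOff);
      out.push(buf.toString("utf8", off + nameOff, end));
    }
    off += size;
  }
  return out;
}

// Behavior labels from the blog mapped to indicator patterns. Symbol names carry a
// leading underscore in Mach-O, so no word boundary is used in front of them.
const INDICATORS = {
  "Uses JSPatch For Hot Patching": [/JSPatch/],
  "Uses Rollout.io For Hot Patching": [/Rollout/],
  "Performs Dynamic Symbol Lookups": [/dlsym/, /dlopen/, /NSClassFromString/, /NSSelectorFromString/],
};

function classify(buf) {
  const text = buf.toString("latin1");
  const findings = new Set();
  for (const [label, patterns] of Object.entries(INDICATORS)) {
    if (patterns.some((re) => re.test(text))) findings.add(label);
  }
  const dylibs = linkedDylibs(buf);
  if (dylibs.some((d) => d.includes("JavaScriptCore.framework"))) findings.add("Links JavaScriptCore");
  return { dylibs, findings: [...findings].sort() };
}

// Constructed samples: an ordinary app, and one that embeds a remote-JS loader.
const plainApp = buildMachO(
  ["/usr/lib/libSystem.B.dylib", "/System/Library/Frameworks/UIKit.framework/UIKit"],
  ["viewDidLoad", "applicationDidFinishLaunching"]);
const hotPatchApp = buildMachO(
  ["/usr/lib/libSystem.B.dylib", "/System/Library/Frameworks/JavaScriptCore.framework/JavaScriptCore"],
  ["JSPatch", "_dlsym", "_NSClassFromString", "https://patch.example/latest.js"]);
```

Raw string matching is deliberately cheap and will flag any app that merely mentions “Rollout” in a URL; a production classifier resolves the undefined symbols from LC_SYMTAB/LC_DYSYMTAB (or chained fixups) so that “Performs Dynamic Symbol Lookups” reflects an actual import of dlsym rather than a string that happens to contain it.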